Poison Apple? “Kissing” picture spreads Trojan to Mac users

A picture of a smooching couple actually delivers a kiss of death to Mac OS X users – it’s a new Mac Trojan which opens a backdoor on users’ machines. It’s the second piece of Mac malware detected in a week, and was picked up on VirusTotal, sent in by a user in Belarus.

Mac security experts Intego said in a blog post, “A new Mac Trojan has been discovered that creates a backdoor on an affected user’s machine. At the time of writing, the Command and Control (C&C) server is down and no longer sending commands to affected users. This appears to be a targeted attack, though the method of delivery is not yet known. So, while this has been affecting users in the wild, the overall threat level appears to be low.”
The Trojan attempts to download an image file of a logo for hacktivist group Syrian Electronic Army. It’s not clear whether the malware is the work of the group.

“At this time, we are unaware how it is sent to affected users,” Intego said. “The malware could likely be sent by email or placed on a website as part of a watering hole attack, for instance. Depending on how the file is received, the behavior of the file in OS X may be slightly different.”

Intego says that when installed, the Trojan attempts to conceal itself, and disguise itself as an ordinary image file, and gets to work.

“ It then opens the JPEG image inside the Application bundle with the standard OS X application Preview, which fools the user into thinking that it was just an image file.The Trojan application installs a permanent backdoor that allows the attacker to send a variety of commands,” Intego said.

In a detailed blog post exploring the myths around Mac malware, ESET Senior Researcher Stephen Cobb says, “Many people have repeated the statement that Macs can’t catch viruses. There may be a qualified sense in which that is true, but it obscures the wider reality that Macs can, and do, get hit with other forms of malicious software.”

Last week, Mac malware targeting Tibetan activists was shared on Virus Total. ESET reports on previous malware targeting Tibetan activists can be found here.

ESET Senior Research Fellow David Harley says, in a post on Mac Virus, “ I suspect that Apple will slipstream detection for [the Tibet malware] into XProtect.plist sooner rather than later. In any case, its actual spread is almost certainly as light as you’d expect from targeted malware. It seems to have crossed the AV radar because of a sample sent to VirusTotal, not as a result of user reports.”

Harley is to deliver a presentation on Mac malware at this year’s Virus Bulletin 2013 conference in Berlin, Germany, from 2-4 October.